Data privacy and security

Leading information protection practices

Deloitte is committed to becoming the profession's leader in setting the standard for protecting confidentiality, and continues to make major investments to protect client data and personally identifiable information.


Few organizations are as active as Deloitte in helping business and government institutions predict, prepare for, and fight online attacks and build cyber resilience. Our vigilance begins at home, where it's critical that we protect our own data and the information we hold on our people and member firm clients.

Like many organizations, Deloitte is aggressively assessing, testing, and adopting the best new technologies and services to understand how we can meet privacy and security standards.

The Deloitte network has moved rapidly to keep its privacy and security policies and practices up to date with global mandates and stakeholder expectations. DTTL's global policy on information security requires member firms to institute a wide range of security measures, covering areas such as virus protection, data backup and recovery, encryption, password authentication, access to systems, and network security.

Deloitte member firm compliance with security policies is tracked through an annual IT Standards, Risk, and Maturity Assessment. Compliance with security policies at the global hosting center level is monitored through the DTTL Global Technology Services (GTS) Security Forum.

Self-assessment and education

DTTL has a privacy self-assessment system to monitor privacy program maturity across the network using 20 different criteria. This is helping DTTL and its member firms understand which tools, if any, could further strengthen information protection and privacy within Deloitte. DTTL's information security specialists provide guidance to member firms to strengthen their information security regimes when necessary.

Deloitte continually provides security education programs for member firm practitioners and security professionals. All GTS staff globally are required to fulfill 40 hours of annual learning, and several have obtained globally recognized security certifications. In addition, in FY2014, three regional workshops were conducted for in-house Deloitte security professionals, an e-learning program on social engineering was rolled out, and Deloitte member firms participated in a global security week campaign to enhance practitioner information security awareness.

Emphasis on confidentiality

Deloitte continues to make major investments to protect client data and personally identifiable information. DTTL added a new Global Office of Confidentiality in 2014 to enhance the Deloitte network’s approach to confidentiality and make its response to risk a strategic enabler.

Deloitte is committed to becoming the profession's leader in setting the standard for protecting confidential information. DTTL has created the position of chief confidentiality officer (CCO), reporting to both DTTL’s chief risk officer and chief information officer. The CCO will lead the business imperative of working with member firms to establish seamless confidentiality controls and processes across the Deloitte network. DTTL is one of the few organizations in the world that has a CCO. The group is also asking member firms to appoint individuals to fill local roles similar to that of the DTTL CCO.

Safe Harbor Certification

In November 2013, Deloitte Touche Tohmatsu Services, Inc. (DTTS) recertified its adherence to the Safe Harbor Framework, which bridges differences between U.S. and European Union privacy laws. Re-certification follows an extensive annual privacy-verification process. The Safe Harbor Framework was developed by the U.S. Department of Commerce in consultation with the European Commission, and provides a way for U.S. organizations to achieve an adequate level of protection of personal data as required by the European Union Data Protection Directive 95/46/EC.

The Safe Harbor Certification assists in meeting EU data protection requirements with respect to data held on global systems in the United States.

Because many member firm clients are multinational organizations that expect seamless, safe, and private data transfer as part of service delivery, Deloitte is continuously reviewing its compliance processes to facilitate the movement of internal and member firm client data in line with local legal requirements.

In this report, the terms Deloitte, our, we and us are used to refer to the Deloitte Touche Tohmatsu Limited (DTTL) network of member firms or to one or more DTTL member firms.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms.